* Wietse Venema <wie...@porcupine.org>:
> Patrick Ben Koetter:
> > IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs,
> > because there are enough MTAs out there unable to handle client certificate
> > requests from a server they connect to.
>
> Is this still true? Assuming that you are referring to MTA-MTA
> communication, not end-user MUAs (such as old Netscape clients that
> should have fallen to dust by now).

Actually I don't know if it is still true. If not, we could ignore the
individualization and - ideally - move to add smtpd_tls_ccert_policy_maps.

> > If that is true, would it be possible to make smtpd_tls_ask_ccert client
> > dependent e.g. request a ccert when the client sends e.g. a specific HELO
> > hostname?
> >
> > mail.example.com ask_ccert
> > .example.net ask_ccert
>
> Alternatively, allow a richer input to smtpd_tls_ask_ccert besides
> yes and no. For example, a (match)list.

Yes. Finer control e.g. access(5) actions would be my ultimate wish.

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein